mirror of https://github.com/MISP/MISP
fix: [security] ACL check when adding or removing tags
Jakub Onderka
parent
5611374829
commit
67a9d612d5
|
|
@ -1301,4 +1301,30 @@ class AppController extends Controller
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if user can add or remove tags for given event.
|
||||
*
|
||||
* @param array $event
|
||||
* @param bool $isTagLocal
|
||||
* @return bool
|
||||
*/
|
||||
protected function __canModifyTag(array $event, $isTagLocal = false)
|
||||
{
|
||||
// Site admin can add any tag
|
||||
if ($this->userRole['perm_site_admin']) {
|
||||
return true;
|
||||
}
|
||||
// User must have tagger or sync permission
|
||||
if (!$this->userRole['perm_tagger'] && !$this->userRole['perm_sync']) {
|
||||
return false;
|
||||
}
|
||||
if ($this->__canModifyEvent($event)) {
|
||||
return true; // full access
|
||||
}
|
||||
if ($isTagLocal && Configure::read('MISP.host_org_id') == $this->Auth->user('org_id')) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2586,7 +2586,7 @@ class AttributesController extends AppController
|
|||
|
||||
public function addTag($id = false, $tag_id = false)
|
||||
{
|
||||
$this->Taxonomy = $log = ClassRegistry::init('Taxonomy');
|
||||
$this->Taxonomy = ClassRegistry::init('Taxonomy');
|
||||
$rearrangeRules = array(
|
||||
'request' => false,
|
||||
'Attribute' => false,
|
||||
|
|
@ -2689,16 +2689,10 @@ class AttributesController extends AppController
|
|||
} else {
|
||||
$attribute = $attributes[0];
|
||||
}
|
||||
if (!$this->userRole['perm_tagger']) {
|
||||
if (!$this->__canModifyTag($attribute, $local)) {
|
||||
$fails++;
|
||||
continue;
|
||||
}
|
||||
if ((!$this->userRole['perm_sync'] && !$this->_isSiteAdmin()) && $attribute['Event']['orgc_id'] !== $this->Auth->user('org_id')) {
|
||||
if (Configure::read('MISP.host_org_id') != $this->Auth->user('org_id') || !$local) {
|
||||
$fails++;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
$eventId = $attribute['Attribute']['event_id'];
|
||||
$event = $this->Attribute->Event->find('first', array(
|
||||
'conditions' => array('Event.id' => $eventId),
|
||||
|
|
@ -2870,19 +2864,7 @@ class AttributesController extends AppController
|
|||
'recursive' => -1,
|
||||
));
|
||||
// org should allow to (un)tag too, so that an event that gets pushed can be (un)tagged locally by the owning org
|
||||
if (
|
||||
(
|
||||
(
|
||||
$this->Auth->user('org_id') !== $event['Event']['orgc_id'] ||
|
||||
(
|
||||
$this->Auth->user('org_id') != Configure::read('MISP.host_org_id') &&
|
||||
!empty($attributeTag['AttributeTag']['local'])
|
||||
)
|
||||
) ||
|
||||
!$this->userRole['perm_tagger']
|
||||
) &&
|
||||
!$this->_isSiteAdmin()
|
||||
) {
|
||||
if (!$this->__canModifyTag($event, !empty($attributeTag['AttributeTag']['local']))) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You do not have permission to do that.')), 'status' => 200, 'type' => 'json'));
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3383,17 +3383,8 @@ class EventsController extends AppController
|
|||
if ($tag_id === false) {
|
||||
$tag_id = $this->request->data['tag'];
|
||||
}
|
||||
if (!$this->_isSiteAdmin() && !$this->userRole['perm_sync']) {
|
||||
if (
|
||||
!$this->userRole['perm_tagger'] ||
|
||||
(
|
||||
$this->Auth->user('org_id') !== $event['Event']['orgc_id']
|
||||
)
|
||||
) {
|
||||
if (Configure::read('MISP.host_org_id') != $this->Auth->user('org_id') || !$local) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You don\'t have permission to do that.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
}
|
||||
if (!$this->__canModifyTag($event, $local)) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You don\'t have permission to do that.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
$conditions = array('LOWER(Tag.name) LIKE' => strtolower(trim($tag_id)));
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
|
|
@ -3570,28 +3561,14 @@ class EventsController extends AppController
|
|||
),
|
||||
'recursive' => -1,
|
||||
));
|
||||
|
||||
if (!$eventTag) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Invalid event - ' . ($galaxy ? 'galaxy' : 'tag') . ' combination.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
// org should allow to (un)tag too, so that an event that gets pushed can be (un)tagged locally by the owning org
|
||||
if (
|
||||
(
|
||||
(
|
||||
$this->Auth->user('org_id') !== $event['Event']['orgc_id'] ||
|
||||
(
|
||||
$this->Auth->user('org_id') != Configure::read('MISP.host_org_id') &&
|
||||
!empty($eventTag['EventTag']['local'])
|
||||
)
|
||||
) ||
|
||||
!$this->userRole['perm_tagger']
|
||||
) &&
|
||||
!$this->_isSiteAdmin()
|
||||
) {
|
||||
if (!$this->__canModifyTag($event, $eventTag['EventTag']['local'])) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You don\'t have permission to do that.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
$this->Event->insertLock($this->Auth->user(), $id);
|
||||
$this->autoRender = false;
|
||||
if (empty($eventTag)) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Invalid event - ' . ($galaxy ? 'galaxy' : 'tag') . ' combination.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
$tag = $this->Event->EventTag->Tag->find('first', array(
|
||||
'conditions' => array('Tag.id' => $tag_id),
|
||||
'recursive' => -1,
|
||||
|
|
|
|||
Loading…
Reference in New Issue